Maryland Student Data Breach Origin Disputed

Frederick County says the state Education Department was hacked. But the Education Department says otherwise, and the incident happened so long ago that it's not clear who was hacked.

by Luke Broadwater, The Baltimore Sun / December 21, 2016 0

(TNS) — School officials in Frederick County say the Social Security numbers and personal information of 1,000 former students have been stolen.

Frederick County public schools officials said in a news release Sunday that the data was stolen in a hack that occurred before 2010 and affected students who attended the school system in 2005 and 2006. The information stolen included names, Social Security numbers and dates of birth.

Frederick officials said they worked with the FBI, the Maryland attorney general's office and state education officials on an "extremely thorough" investigation that was completed this month.

But county and state officials have reached different conclusions about the origins of the attack.

Frederick officials said the data might have been stolen from the Maryland State Department of Education system. State officials deny that.

"Because the breach occurred so long ago, it is impossible to definitively identify its source," Frederick school officials said in the news release. "However, the investigation indicated that the information may have been obtained from the MSDE system. ... Indeed, MSDE determined that its system was attacked. It has since taken steps to increase the security of its system."

William Reinhard, a spokesman for the Maryland State Department of Education, said that statement "runs counter to the facts."

"There is no evidence that the breach occurred at the Maryland State Department of Education or, more specifically, that State Data systems were breached," Reinhard said in an email.

Frederick officials said they're taking steps to help former students whose personal information was compromised.

On an online forum called "Dark Stuff," a post from 2012 that is still visible offers to sell 20,000 Social Security numbers, including a "free" sample of 1,000 names and numbers from the Frederick County schools.

"We have been taking -- and will continue to take -- aggressive action on behalf of those affected," Frederick school officials said. "We are working to have compromised data removed from websites where it may appear."

Officials are offering services from Kroll, an online security firm, to protect victims' identities for one year. The services will include credit monitoring and resorting of identities. Schools officials are reaching out to former students with information about how to enroll in such services.

Reinhard said the Multistate Information Sharing and Analysis Center of the Department of Homeland Security completed a forensic investigation of the hack and could not determine exactly where the breach occurred, but found no evidence of a breach of the state system.

He said no addresses, telephone numbers or financial information were stolen.

"The Maryland State Department of Education takes seriously its responsibilities regarding personally identifiable information," he said in the email. "The Department currently deploys the latest in antivirus software and uses enhanced encryption. MSDE continuously reviews its security posture, processes and protocols."

©2016 The Baltimore Sun, distributed by Tribune Content Agency, LLC.